application: 
UstingofQaims: 



a) a source of rules; 

b) a source of facts; and ,„„„„„icarto„ wito the source otrules and 
, .a,„,sisc„staee— -^^^^^^ 

::::rj:r::r..s.c.^.---- 

(ii) determining which, if any, of the mterenc 

with a rule from the source of rules; ^^^^^^^ 
u ir, wnre that matches a sub-goai, appiyuig 

rtr:: :r."::-pare„.s..oo..ersu..o^^^^^ 

chauurrg from that sub g P ^^^^ 

„ng -^^^^'J to use continuations to schedule *e 
wherein the analysis engine rs further gu ^^^^^^^ 

4. (Canceled) 
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\n claim 3 wherein the analysis engine is configured to 
5. (Original) The system as recited in claim 3, wne 

assign a score to the goal. 

■ n Thesvstem as recited ,nclaim4,whereinthe score comprises a. least oneofa 

rtCoTa— eractor,asu^^^^ 

7. (Canceled) . . . 

S ^revtousivPresented, ^e .stent as recite, in c.a^ 5, wherein ..e ar,a,ys.s en.„e .s 

■Leroon«^redtouse,hescorestose,ectagoa,to.epursued. 

■ Uemtodetectanintrusionafteroccurrenceoftheintruston. 

,0 (Ori^nai) The system as raited in elaitn 9, wherein the rn.es are configured .^^^^^^ 
SsUtLorreiateandevaiuatefactsfiontaplnraiityofsonrcesoffacts. 

in claim 10 wherein the plurality of sources compnses 
11 (Original) The system as recited m claim lu, wn 
primary, secondary, and indirect sources of facts. 

Hted in claim 10 wherein the rules are further configured to 

.it.d in claim 2 wherein the analysis engine is configured to 

„ (Original, The system as rectted in Oaint .4, wherein the analysis engine is «trther 

^^^f^guri to provide baCgtonnd infomtaUon relating to the analysts. 
,.,revio„s,yPresen.ed,Amethodimplementedonacompnterfordetecting,n,™stonsona 

host, comprising the steps of: 

a) providing a sou^e ot ™les and a --e oftacts^ ^^^^ 

b) forward- and backward-chamtng nsing facts from the sonr 

source of rules by: 

(i) using forward chaining to generate one or more inferences. 
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(ii) determining which, if any, of the inferences matches a sub-goal associated 
with a rule from the source of rules; 

(iii) with respect to each inference that matches a sub-goal, applying backward 
chaining from that sub-goal's potential parents into other sub-goals; and 

(iv) for each sub-goal reached either by forward or backward chaining, 
determining whether the sub-goal indicates an intrusion has taken place, 

wherein continuations are used to schedule the processing of a goal based at least in part on 
whether the data required to continue processing the goal is available and based at least in 
part on a subdivision of rules into segments which each become a rule. 

17. (Currently Amended) A computer program product for detecting intrusions on a host, the 
computer program product being embodied in a tangible computer readable medium having 
machine readable code embodied therein for performing the steps of: 

a) providing a source of rules and a source of facts; 

b) forward- and backward-chaining using facts from the source of facts and rules from the 
source of rules by: 

(i) using forward chaining to generate one or more inferences: 

(ii) determining which, if any, of the inferences matches a sub-goal associated 
with a rule from the source of rules; 

(iii) with respect to each inference that matches a sub-goal, applying backward 
chaining from that sub-goal's potential parents into other sub-goals; and 

(iv) for each sub-goal reached either by forward or backward chaining, 
determining whether the sub-goal indicates an intrusion has taken place, 

wherein continuations are used to schedule the processing of a goal based at least in part on 
whether the data required to continue processing the goal is available and based at least in 
part on a subdivision of rules into segments which each become a rule. 

18. (Previously Presented) A method as in claim 1, wherein the subdivision of rules is organized 
into a set of graphs. 

19. (Previously Presented) A method as in claim 18, wherein information associated with 
connections in the set of graphs are used at least in part to schedule the processing of a goal. 
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INTERVIEW SUMMARY UNDER 37 CFR Shl33 AND MPEP §713,04 

A telephonic interview in the above-referenced case was conducted on July 1, 2005 
between the Examiner and the Applicants' undersigned representative. The Office Action 
mailed on May 13, 2005 was discussed. Specifically, the rejection of claim 17 under 35 U.S.C. 
101 and the proposed amendment set forth herein was discussed with the intent to place the 
claims in better condition for allowance or appeal. The examiner has indicated claim 17 would 
be allowable if amended to exclude "a carrier wave" as a "computer readable medium." 

The Applicants wish to thank the Examiner for his time and attention in this case. 
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